Bug 1037142 - VUL-0: CVE-2017-7476: emacs: gnulib: Out-of-bounds write by setting a large TZ variable
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Dr. Werner Fink
Security Team bot
https://smash.suse.de/issue/184455/
Blocks: CVE-2017-7476
Reported: 2017-05-02 09:49 UTC by Marcus Meissner
Modified: 2017-06-19 13:11 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2017-05-02 09:49:37 UTC
Emacs uses the *time_rz functions from gnulib which are affected by this problem.

+++ This bug was initially created as a clone of Bug #1036636 +++

rh#1445185

An out-of-bounds heap write vulnerability was found in date. A maliciously crafted TZ variable could be used to run arbitrary code as the user running date.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1445185
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7476
Comment 1 Marcus Meissner 2017-05-02 09:51:56 UTC
Only Factory affected, Leap and SLE have older emacs with older gnulib versions.
Comment 2 Dr. Werner Fink 2017-05-02 10:34:00 UTC
(In reply to Marcus Meissner from comment #1)
> Only Factory affected, Leap and SLE have older emacs with older gnulib
> versions.

Why is this a bug of GNU Emacs ... AFAICS this is from gnulib, which is with libg a shared library.
Comment 3 Dr. Werner Fink 2017-05-02 10:44:30 UTC
nm -D /dist/unpacked/head-x86_64.full/usr/bin/emacs-* | grep time_
                 U gmtime_r
                 U localtime_r
                 U gmtime_r
                 U localtime_r
                 U gmtime_r
                 U localtime_r

... no time_rz
Comment 4 Dr. Werner Fink 2017-05-02 10:46:53 UTC
(In reply to Marcus Meissner from comment #0)

> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7476

CVE ID Not Found

A vulnerability has been identified, and possibly a CVE has been assigned, why is it not in your database?
Comment 5 Marcus Meissner 2017-05-02 10:48:05 UTC
gnulib (not to be confused with glibc) is sadly usually copied into the sources and not a shared library.

From the buildlog for emacs:
...
[ 1167s]   CC       time_rz.o
[ 1168s]   AR       libgnu.a
[ 1168s] make[2]: Leaving directory '/home/abuild/rpmbuild/BUILD/emacs-25.2/lib'
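
Added example, not part of the original bug thread: the nm -D check in comment 3 reads only the dynamic symbol table, so objects linked in from a static archive need not show up there, while the build log quoted in comment 5 does record them. The script below lists the objects a build log shows going into libgnu.a and tests for time_rz.o; the function names and the sample log (apart from the three lines quoted in comment 5) are constructed for illustration.

```shell
#!/bin/sh
# Added example; the sample log is constructed, except for the three
# lines quoted from the emacs build log in comment 5.

# Print the objects a build log shows compiled into a static archive
# (default libgnu.a). Reads an rpmbuild/automake silent-rules log on stdin.
archive_objects() {
    awk -v ar="${1:-libgnu.a}" '
        { sub(/^\[ *[0-9]+s\] */, "") }      # strip the "[ 1167s]" timestamp
        /(Entering|Leaving) directory/ { n = 0; next }  # new make scope
        $1 == "CC" { objs[++n] = $2; next }  # compile step
        $1 == "AR" {                         # archive step ends the group
            if ($2 == ar) for (i = 1; i <= n; i++) print objs[i]
            n = 0
        }
    '
}

# Succeed if object $1 (e.g. time_rz.o) went into libgnu.a; log on stdin.
embeds_gnulib_object() {
    archive_objects libgnu.a | grep -Fx -- "$1" >/dev/null
}

# Constructed sample log.
sample_log() {
    cat <<'EOF'
[ 1166s] make[2]: Entering directory '/home/abuild/rpmbuild/BUILD/emacs-25.2/lib'
[ 1167s]   CC       strftime.o
[ 1167s]   CC       time_rz.o
[ 1168s]   AR       libgnu.a
[ 1168s] make[2]: Leaving directory '/home/abuild/rpmbuild/BUILD/emacs-25.2/lib'
[ 1169s] make[2]: Entering directory '/home/abuild/rpmbuild/BUILD/emacs-25.2/src'
[ 1170s]   CC       emacs.o
[ 1171s]   CCLD     temacs
EOF
}

if sample_log | embeds_gnulib_object time_rz.o; then
    echo "time_rz.o is bundled in libgnu.a: package carries its own gnulib copy"
fi
```

A package that matches needs its own rebuild with the fixed gnulib source, since no shared-library update will reach the bundled copy.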
Comment 6 Marcus Meissner 2017-05-02 11:00:46 UTC
The upstream CVE database is only updated when an issue is marked as published, so far apparently no one has done that yet.
Comment 7 Dr. Werner Fink 2017-05-02 11:04:42 UTC
Can I submit this to Factory?
Comment 8 Marcus Meissner 2017-05-02 11:10:44 UTC
Yes, it is public.
Comment 9 Dr. Werner Fink 2017-06-19 13:11:11 UTC
This one is fixed